Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Barco ClickShare Multiple Script Remote Command Execution

High

Synopsis

The Barco ClickShare CSM-1 is a wireless presentation and collaboration system, that allows any meeting participant to share content on the central meeting room screen. Like many modern devices, it uses a web server for remote device configuration and maintenance. By default, the device installs with default administrator credentials (admin / admin) that can be changed after authenticating. These credentials can also be used to exploit multiple post-authentication remote command execution flaws.

CVE-2015-6532 - The first issue is due to the getLastCommitTimeStamp.php script not properly sanitizing user-supplied input to the id POST parameter. Supplying a Unix-based command between semi-colons (e.g. ;id;), the application will execute the command on the underlying operating system. Since the web server (lighttpd/1.4.26) runs with root privileges, this flaw can be used to take complete control of the device. Version 01.05.00.0032 was tested and found to be vulnerable, while 01.07.00.33 was not. Barco has since said that the 01.0.5x line has been "withdrawn as beta", while fixing it in a different code tree.

CVE-2015-6533 - The second issue is due to the /index.php/centralstore script not properly sanitizing user-supplied input when called with the docommand command. Supplying a Unix-based command between single quotes and semi-colons (e.g. ' ; id ; '), the application will execute the command on the underlying operating system. Since the web server (lighttpd/1.4.26) runs with root privileges, this flaw can be used to take complete control of the device. Based on the command invoked, the POST parameter required will change. For example, the addObject command would inject via the name parameter, and the unpairDongle command would inject via the serialnr parameter. Version 01.07.00.0033, the latest available at the time of testing, is affected.

While not a vulnerability, Tenable engineers noticed a clever utility included with the application, and would like to give props to Barco engineers:


# cat cn.php
<?php
function get_chuck_norris_quote() {
        $quotes = array();
        $quotes[] = "Chuck Norris calls the Button a dongle. Everyone agrees.";
        $quotes[] = "Chuck Norris installs version 1.0.0.0. Already has audio support.";
        $quotes[] = "Chuck Norris shares his screen and gives a presentation. Then he presses the Button.";
        $quotes[] = "Chuck Norris can access private methods.";
        $quotes[] = "Chuck Norris laughs in the face of unresolved symbol errors.";
        $quotes[] = "Chuck Norris rewrote the Google search engine from scratch.";
        $quotes[] = "When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris.";
        $quotes[] = "Chuck Norris doesn't call the wrong number. You answer the wrong phone.";
        $quotes[] = "Chuck Norris can cut through a hot knife with butter.";
        $quotes[] = "Chuck Norris tweets about having a bad day. Global economy slips into depression.";
        $quotes[] = "Chuck Norris counted to infinity - twice.";
        $quotes[] = "Chuck Norris can slam a revolving door.";
        $quotes[] = "Chuck Norris can win a game of Connect Four in only three moves.";
        $quotes[] = "Chuck Norris can speak French in Russian.";
        $quotes[] = "Chuck Norris can count the number of corners in a circle.";

        return $quotes[array_rand($quotes, 1)];
}
?>

Tenable has created two plugins for testing this device. The first, barco_clickshare_detect.nbin (Plugin ID 77248) will identify and fingerprint the remote device. The second, barco_clickshare_default_creds.nasl (Plugin ID 77249) will test for the presence of the default credentials. The device does not provide a method for remotely obtaining the version of the firmware, so an all-in-one-plugin to test for this issue cannot be created.

Solution

Barco has provided updated firmware to address these issues. After a prolonged email thread trying to clarify fix version information, we believe we have it sorted out. Note that in some cases, you may appear to 'downgrade' to fix the issue, due to Barco maintaining several branches of code for each device. Please contact Barco for any clarification on this information.

  • CSM-1 Devices: 01.04.03.0006 (fixes both issues), 01.07.00.0033 (fixes getLastCommitTimeStamp.php only), and the 1.05.x line was "withdrawn as beta release"
  • CSC-1 Devices: 01.09.00.0022 or 01.09.01.0004 (fixes both issues)

Disclosure Timeline

2014-07-14 - Issue discovered, lost in a Tenable bug tracker
2015-06-25 - Asked Vendor for desired vulnerability reporting method via web form
2015-06-26 - Asked Vendor for desired vulnerability reporting method via Twitter
2015-06-27 - Vendor replied via Twitter, asked for DM with products affected
2015-06-28 - Vendor (Clickshare PM) replied via email asking for details
2015-06-28 - Full details sent to Clickshare PM
2015-07-01 - Vendor confirms vulnerability
2015-08-11 - Pinged vendor on status, no reply
2015-08-20 - CVE Requested and Assigned
2015-09-08 - Pinged vendor on status
2015-09-09 - Vendor reply, no ETA on fixes
2015-11-24 - Pinged vendor for update
2015-12-04 - Vendor says fixed firmware coming mid-Dec for CSC-1, Q12016 for CSM-1
2015-12-11 - Release scheduled for Dec 14
2015-12-11 - v01.09.00.22 released for CSC-1
2016-02-17 - Pinged vendor for update
2016-02-23 - Vendor says v1.4.2 released for CSM-1 covering "most of the issues reported".
2016-02-23 - Pinged vendor to confirm version, as it is substantially different than prior scheme
2016-03-10 - Vendor indicates the issue not fixed in latest release as planned. Will get back to us with new ETA.
2016-03-21 - Vendor confirms it was fixed in CSC-1 01.09.00.0022 and CSM-1 01.04.01.0001. Tenable asks for clarification on CSM, as version appears earlier than what we tested.
2016-03-22 - Tenable asks for clarification on a 01.04.x fix when 01.05.x was tested
2016-03-23 - Vendor indicates 01.05.x tree was beta, and the 01.04.x fix is a stable tree, but still calls fix "1.4.2" which is presumably later than 01.04.01.0001
2016-03-24 - Tenable asks for one more round of clarification for the versioning
2016-03-25 - Vendor confirms CSC-1 / CSM-1 firmware doesn't share firmware or numbering scheme

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]